A serious vulnerability existed in SWARCO Traffic Systems. Exploiting the vulnerability could allow an attacker to disrupt traffic signals.
SWARCO Traffic Systems Vulnerability
A researcher from the cybersecurity firm ProtectEM found a critical vulnerability affecting SWARCO Traffic Systems. The vulnerability, upon exploitation, could allow an attacker to disrupt traffic signals.
As stated in US-CERT advisory, the researcher Martin Aman found the vulnerability, CVE-2020-12493, in SWARCO’s CPU LS4000 traffic light controllers.
It was an improper access control flaw that achieved a CVSS base score of 10.0. Even a low-skilled attacker could easily exploit the bug and disrupt traffic controllers.
Though, exploiting the flaw required physical access to the target controllers. While that reduces the probability of the attack, in case of such an incident, the attacker could deactivate traffic lights causing huge traffic disruptions.
Describing the details of the flaw, the VDE-CERT stated,
An open port used for debugging grants root access to the device without access control via network.
A malicious user could use this vulnerability to get access to the device and disturb operations with connected devices.
Thankfully, no exploitation of the bug in the wild has been detected yet.
As revealed, the vulnerability affected the SWARCO CPU LS4000 with operating systems beginning with G4.
Following the researcher’s report, the vendors worked on a fix to address the flaw. While they have released the patch to fix the bug and close the port, users should make sure to update their systems.
Moreover, US-CERT also advises the users to mitigate the flaw via the following.
- Ensure minimal network exposure of control systems isolating them from the internet.
- Protect the control systems and devices via firewall and segregate them from the business network.
- VPN must be used when remotely accessing the secured devices.
SWARCO is an established vendor of traffic control systems with headquarters in Germany and covering the European region.
Let us know your thoughts in the comments.